Macromedia reports critical hole in Flash player

Company advises users to upgrade now to fix the flaw

Macromedia has warned of what it calls a critical security flaw in the latest version of its Flash animation player and advised users to install a new version, which it has released on the web.

The security flaw affects version 6.0 of the Flash Player freeware, which was released a year ago this month and has been installed on an estimated 75 percent of personal computers worldwide, according to the company.

The vulnerability affects the integrity of the player's "sandbox", which is supposed to act as a cordoned-off area where Flash code retrieved from the web can be run safely, without access to a user's files. The company warns that the flaw could allow a malicious hacker to run native code on a user's computer, outside the sandbox, possibly without the user's knowledge.

No users had reported having been affected by the problem as of Monday evening, a Macromedia representative said. Nevertheless, the company advised users to download a new version of the player, version 6.0.79.0, from its website immediately.

As well as fixing the sandbox’s vulnerability, the new version serves as a cumulative patch, addressing other security flaws reported since its release, including memory buffer overflows. It also offers other tweaks intended to boost the product’s performance.

The company offered few other details, saying only that the vulnerability was reported to Macromedia "recently" by a third party.